UK: Data
retention and access consultation farce- Government to allow access
for crime purposes to records which can only be held for national
security This analysis first
appeared in Statewatch bulletin, volume 13 no 2, April 2003

In March 2003 the Home Office issued two consultation papers,
one on the retention of communications data, the other on access
to communications data. The deadline for responses is 3 June.
The latter came about after the government tried to rush through
a Statutory Order giving over 1,039 public authorities the right
to request communications data - after widespread objections
by civil society this was withdrawn on 18 June 2002.

The former, on data retention, dates from the passing of the
Anti-Terrorism, Crime and Security Act in December 2001. Section
103 says that the Home Secretary has to issue a consultation
paper before the government brings in a voluntary Code of Practice
by statutory instrument. It has taken the Home Secretary 16 months
to issue the consultation paper. The ATCS Act says that the Home
Secretary can order mandatory data retention if the voluntary
scheme does not work (Section 104). However, Section 105 limits
this power to two years from the passing of the Act which will
be 13 December 2003 - the Code is unlikely to be operative by
this date so the Home Secretary will have to put through another
statutory instrument extending his powers for another two years
(Section 105.4).

This begs the obvious questions: In December 2001 the ATCS Act
was rushed through parliament on the grounds that the new powers
were urgently needed to combat "terrorism" - does this
mean that the security, intelligence and police agencies do not
have access to communication data to combat "terrorism"
or does it mean they already have all the powers they need? Does
excessive delay not tell us that data retention is more to do
with combating crime in general than terrorism?

The retention of data - what the Act says

Under the Act the Home Secretary can issue a code of practice
(voluntary or mandatory) as is necessary:

"(a) for the purpose of safeguarding national security:
or
(b) for the purpose of prevention or detection of crime or the
prosecution of offenders which may relate directly or indirectly
to national security" (Section 102.3, emphasis
added)

The Act is thus unequivocal, the Home Secretary can lay down
a Code for the retention of communications data which is directly
or indirectly related to "national security".

What the government is trying to do is to extend this legal definition
to cover crime in general and in the case of some agencies to
those who deal with health and safety, trading standards and
local authority agencies.

Home Office officials try to argue that the Home Secretary
made it clear during the debate on the ATCS Act that it would
apply to crime in general. What the Home Secretary may have said
during the debate has no bearing on the legal situation, it is
what the Act says that counts. Moreover, if every statement by
every government Minister during the passage of legislation had
legal standing the courts would be in chaos.

Whatever the spin and glossy consultation document says the government
is assuming that the telecommunications industry will cooperate
and that the unlawful practice of accessing communications data
for law enforcement in general will become the norm.

Consultation - data retention

The consultation paper on data retention under the ATCS Act admits
that powers are only available to retain data for the purpose
of "national security" and related crimes but then
refers to crime in general throughout. It states that the "Home
Office does not consider" that data retained for the purposes
of national security "and not for any other reason, should
prevent the police or other public authorities having access
to that data when they can demonstrate a proportionate need for
it" - ignoring the fact that "proportionate" is
only relevant where an underlying power exists in the first place.

The Information Commissioner (the re-named Data Protection Commissioner)
who was consulted sits on the fence by saying that in relation
to data protection (as distinct from the underlying law) access
would not automatically be "unlawful.. but that it may be
in certain circumstances". The Commissioners advice
to communications service providers is that they should notify
their office that they are processing data for the purpose of
national security and crimes directly or indirectly associated
(citing the text of s.102.3 of the ATCS Act) which can hardly
be re-assuring if faced with a legal challenge. The Home Secretary,
David Blunkett, has apparently assured the industry that he will
stand side-by-side with them if they face any data
protection or human rights legal challenges - which is pretty
meaningless unless the Home Secretary is also sued.

Under the draft Code of practice subscriber information and telephony
data (date, time, location etc) would be kept for 12 months and
e-mail data for 6 months.

Consultation - access to communications data

Powers to access communications data is defined as traffic data
(including location of the users of mobile phones), service data
and subscriber data (names, addresses etc) under Chapter II of
Part 1 of the Regulation of Investigatory Powers Act 2000 (see
Statewatch vol 10 no 1).

Access under RIPA 2000 referred to current, "real-time"
(as a conversation is happening for example) or to further surveillance
- and not to data retention which only became an issue under
the ATCS Act 2002.

The reason the Statutory Order was withdrawn last year was because
it was revealed that some 1,039 public authorities would have
the right to request access to communications data. The consultation
paper seeks to justify access for a number of authorities such
as the Office of Fair Trading, the Immigration Service and Serious
Fraud Office but is utterly silent on exactly how many authorities
will have these powers under a so-called revised list. This list
still includes all local authorities in the country, only parish
councils (who have few powers anyway are to be excluded). A list
of potential authorities is provided on an obscure Home Office
page (see below) which is interesting not just for some dubious
justifications but because it shows that hundreds of thousands
of requests for access to communication data are already being
made by agencies even though there is no legal power to do so
(except for those agencies directly specified in RIPA 2000 like
the police).

What is evident from the detailed information is that you cannot
have hundreds of agencies authorising themselves to demand access
to communications data. The paper is much exercised to find a
mechanism to authorise them. One obvious option is judicial authorisation
but this would be a "burdensome duty on the courts",
another is the toothless Interception of Communications Commissioner
(see below) which the Home Office favours.

"Independent oversight" is to be provided by the Interception
of Communications Commissioner which is hardly likely to engender
public confidence. The holders of this post, and the Tribunal
to which members of the public can complain about surveillance,
were created under the 1985 Interceptions of Communications Act
(now replaced by RIPA 2000) have never in the eighteen years
of their existence upheld a complaint.

The paper ends with the following extraordinary observation that
where "intrusion into privacy is possible" and when
people are aware of this and oversight is in place:

"Those who then engage in conduct, knowing from information
placed in the public domain, that as a consequence their privacy
is liable to compromise, accept the risk to their privacy"

Source: The two consultation papers are available on the Statewatch
website: